On July 15, 2008 10:38:45 am Oil Supply wrote:
> >> What is the new_oids section supposed to be used for? Because it looks
> >> like I just add a name=oid and then for simple strings, add the
> >> extension as name=<whatever> the man pages refer to this as well. That
> >> is my confusion.
> >
> > That should work but it won't result in "name" being displayed on things
> > like browsers: only OpenSSL will know about the mapping between name and
> > the OID.
>
> Thanks again, Dr. Henson.
>
> Ok, so to add an extension to a certificate so that the human name
> "fooname" will be displayed in a browser or by openssl x509 command, I
> need to write some routines to encode the name and what-not. And that
> is explained in doc/openssl.txt in the source tree?
>

No - you need to have it incorporated in an RFC or other standard that
browsers and Certificate processing routines implement.

All you encode in the certificate is an OID and a value - the way that a
program knows how to interpret and display it is built into the logic of
the program, based on the definition in the standard.

> Do you, by you, I mean anyone on the list, think having the human
> readable name in the certificate is a requirement?
>

If you are including a value in there that is meant to be read by a
person, then yes. If you are including a value in there that is meant to
be interpreted and acted upon by a Relying Party computer program, then
no - but then, as I said in my previous message, if you include a private
extension, the chances of either of these being possible with a
non-proprietary client is approximately nil.

If your certificates are only ever being used by a proprietary client in
a closed community, then feel free to add Private Extensions. If not,
then it would probably be better to find a way to express what you want
to convey using one of the standard extensions.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
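The point made in the reply above (the certificate carries only an OID and a value, and naming or decoding it depends on what the reading program has built in), as an added example that is not part of the original message and is not OpenSSL code. The OID 1.2.3.4, the DER bytes, the function names and the `local_names` mapping are constructed for illustration; `local_names` only models a name=oid entry that one program knows about.

```python
# Added illustration; all DER bytes below are constructed sample data.

def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OID content octets into dotted-decimal form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)          # the first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extension(der):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    _, seq, _ = read_tlv(der)
    _, oid, pos = read_tlv(seq)
    tag, val, pos = read_tlv(seq, pos)
    critical = False
    if tag == 0x01:                        # optional critical BOOLEAN is present
        critical = val != b"\x00"
        tag, val, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid), critical, val

def basic_constraints(value):
    """Decoder a viewer ships for 2.5.29.19; only the cA flag is read here."""
    _, seq, _ = read_tlv(value)
    return "CA:TRUE" if seq and seq[0] == 0x01 and read_tlv(seq)[1] != b"\x00" else "CA:FALSE"

KNOWN = {"2.5.29.19": ("X509v3 Basic Constraints", basic_constraints)}  # built-in knowledge

def display(der, local_names=None):
    """Render one extension; local_names models a name=oid mapping only this program has."""
    oid, critical, value = parse_extension(der)
    if oid in KNOWN:
        name, text = KNOWN[oid][0], KNOWN[oid][1](value)
    else:                                  # syntax unknown: show the OID (or local name) and raw hex
        name, text = (local_names or {}).get(oid, oid), value.hex()
    return f"{name}{' (critical)' if critical else ''}: {text}"

PRIVATE_EXT = bytes.fromhex("300e06032a030404070c0568656c6c6f")  # OID 1.2.3.4, UTF8String "hello"
BASIC_CONSTRAINTS = bytes.fromhex("300f0603551d130101ff040530030101ff")
```

The same private extension renders as `1.2.3.4: ...` in a program without the mapping and as `fooname: ...` in one with it, while the standard extension is named and decoded in both.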
